Passwords and the Post It Note Culture

Oct 21, 2014

It’s becoming increasingly difficult to ignore the constant reminders about how important it is to keep online security at as high a level as possible. Yet, for all this attention to security, we still leave passwords to sensitive business systems and confidential data on pieces of paper on our desks for anyone to see.

Of course, we have to keep a reminder of all of these passwords somewhere, but these Post It notes are most definitely not the solution.

Does your business have a policy on passwords?

Here are 5 things that your policy could include:

1. Use Strong Passwords

Of course, having a strong password is the first step to keeping confidential business information safe. Here’s what a strong password should and shouldn’t include:

- A strong password should not contain any part of the user’s name
- It should contain a minimum of 6 characters
- It should contain characters from at least 3 of the following 4 categories:
  - Uppercase letters
  - Lowercase letters
  - Numbers, from 0 to 9
  - Non-alphanumeric characters, such as !, *, %, #
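As an added example (not code from the original post), the three rules above written as a Python check that reports every rule a candidate password breaks. The way a user’s name is split into fragments, and the three-character floor below which a fragment is ignored, are my assumptions; the length and category thresholds are the ones the post states.

```python
import string

# The four character categories named in the policy; a password must draw
# characters from at least MIN_CATEGORIES of them.
CATEGORIES = {
    "uppercase letter": set(string.ascii_uppercase),
    "lowercase letter": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "non-alphanumeric": set(string.punctuation),
}
MIN_LENGTH = 6        # minimum length stated in the post
MIN_CATEGORIES = 3    # "3 of the 4 categories"
MIN_NAME_PART = 3     # assumption: name fragments shorter than this are ignored


def name_parts(full_name, username):
    """Fragments of the user's name that must not appear in the password.
    Assumption: names are split on spaces, dots, hyphens and underscores."""
    fragments = set()
    for source in (full_name, username):
        for sep in ".-_":
            source = source.replace(sep, " ")
        fragments.update(p.lower() for p in source.split() if len(p) >= MIN_NAME_PART)
    return fragments


def check_password(password, full_name="", username=""):
    """Return a list of the policy rules the password violates (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, chars in CATEGORIES.items()
               if any(c in chars for c in password)]
    if len(present) < MIN_CATEGORIES:
        problems.append(f"only {len(present)} of {len(CATEGORIES)} character categories")
    lowered = password.lower()
    for part in sorted(name_parts(full_name, username)):
        if part in lowered:
            problems.append(f"contains part of the user's name ({part!r})")
    return problems


if __name__ == "__main__":
    # Constructed sample user and candidates; none of these are real credentials.
    for candidate in ("alice1", "Smith2024!", "Tr0ub4dor!"):
        verdict = check_password(candidate, "Alice Smith", "asmith")
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```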

2. Define the Age of Passwords

Giving your passwords a maximum age means that, if an attacker should learn a password (or set their own), it will only work for a specified amount of time. A minimum age can be set as well, so that a password cannot be changed again until it has reached the specified number of days old.

The maximum age you allow a password is entirely dependent on what is suitable for your business, but between 30 and 90 days is the usual recommendation.

3. Use a Password Vault

It’s highly likely that, if you’re running a business, you will have hundreds of accounts, each with its own password. It would be nigh on impossible to remember each and every one of these different passwords, so you must store them somewhere.

As mentioned earlier, notes on your desk are most definitely not the place to do this. Instead, use a password vault: every password stored in it is encrypted, and you, and whomever else you give access to the vault, use a single master password (which should be complex and regularly changed) to unlock the others.

Password managers such as 1Password and LastPass are good choices that work across platforms and devices.

4. Be Twice as Vigilant with Emails

Email accounts hold a plethora of confidential information about a business, so the passwords for these accounts should be especially strong. This matters most because of the sites and accounts that offer a ‘Forgotten Password’ tool: the reset link they send lands in that same mailbox.

Once a hacker has access to your email account, they, in theory, have access to most of your others.

As a rule of thumb, treat your email security as you would your bank account security.

5. Enforce an Account Lockout Policy

The idea of a lockout policy is that it blocks access to anyone who fails to enter the correct password within a specified number of attempts. The only issue with these policies is that, as well as locking out potential attackers, they can also lock out authorised users.

You should ensure that users are allowed a sufficient number of attempts before they are locked out. This prevents authorised users from being locked out for simply mistyping the password.

Being prudent with passwords and introducing a formal password policy are the number-one way to prevent breaches of your systems. Breaches can still happen even with a sound policy, but your business will be at a much lower risk of falling victim to one.